SEC.gov | Program Officials' Information Security Responsibilities

Inspector General

This document is an HTML formatted version of a printed document. The printed document may contain agency comments, charts, photographs, appendices, footnotes and page numbers which may not be reproduced in this electronic version. If you require a printed version of this document contact the United States Securities and Exchange Commission, Office of Inspector General, Mail Stop 11-7, 450 Fifth Street N.W., Washington, D.C. 20549 or call (202) 942-4460.

AUDIT MEMORANDUM No. 24
September 10, 2002

To: Division Directors and Office Heads (1)
From: Walter Stachnik, Inspector General
Re: Program Officials' Information Security Responsibilities

Since passage of the Government Information Security Reform Act (GISRA) on October 30, 2000, the Commission's Chief Information Officer (CIO) has taken action to implement a Commission-wide Security Program to comply with the spirit and intent of GISRA. For example, the Commission's CIO has taken action to:

- Educate the Chairman, program offices and Commission staff on their information security responsibilities;
- Integrate information security into the Commission's Information Technology Capital Planning (ITCPC) Process;
- Publish Commission-wide policies and procedures for certifying and accrediting Commission systems and applications; and
- Establish a standardized contracting vehicle to assist program offices in certifying and accrediting Commission systems and applications.

However, the Commission's Information Security Program is not in full compliance with GISRA. Specifically, Division Directors and Office Heads have not yet been adequately integrated into the Program. GISRA requires that Division Directors and Office Heads:

- Assess the risk to information processed by the systems supporting their mission areas;
- Determine the appropriate level of security to protect information processed by their systems;
- Maintain up-to-date information system security plans; and
- Ensure that information system security controls are tested and evaluated.

Although GISRA does not permit OIT to perform these duties, OIT has developed regulations for system certification and accreditation and has procured a contractor to help divisions and offices comply with GISRA. The OIT Security Group has more information.

We are recommending the following actions to help the Commission achieve compliance with the mandates of GISRA.

Recommendation A

The Office of Information Technology (OIT) should establish and publish Commission-wide definitions of what constitutes a "Major Application" and what constitutes a "General Support System".

Recommendation B

Within 30 days, the Chairman or Executive Director should formally assign system security responsibilities (e.g., to certify the security of applications/systems) to division directors and office heads, as specified in GISRA.

Recommendation C

Upon notification, each division director and office head (see Attachment A) should explicitly assign the responsibility to complete mandated system security tasks (see Attachment B) to their Information Officer. If the division or office does not have an Information Officer, these duties should be assigned to a senior manager having knowledge of the program and some knowledge of the office's use of information technology (IT) in conducting Commission operations. These assignments should be completed and provided to the CIO within 5 days of being notified by the Chairman or Executive Director.

Recommendation D

Within 30 days of assignment, each Information Officer should prioritize the certification and accreditation sequence of the applications and systems for their division or office, and provide the list to the Information Officers Council (IOC) and CIO. For those divisions and offices not having an Information Officer, the senior manager assigned this responsibility should prioritize the certification and accreditation sequence, and provide the list to the IOC and CIO.

In implementing this recommendation, Information Officers and senior managers should meet with the CIO and IOC to establish agreement on which program office is assigned principal ownership of each Commission application/system. Once application/system ownership responsibilities are assigned to non-OIT program offices, the IOC and ITCPC should use this baseline to implement Recommendations E, F, and G below.

Recommendation E

The IOC, in coordination with the CIO, should prioritize the portfolio of Commission applications and systems submitted by the Information Officers that require certification and accreditation. All major applications and systems should be certified and accredited within 15 months of the publication date of this audit report.

Recommendation F

The CIO should prioritize and schedule general support systems for certification and accreditation within 12 months of the publication date of this audit report.

Recommendation G

The ITCPC should ensure that appropriate funds are programmed annually to certify and accredit applications and systems on a recurring basis, in compliance with GISRA.

ATTACHMENT A
DIVISION DIRECTORS AND OFFICE HEADS

ES*    Mark Radke
OS     Jonathan Katz
ED     James McConnell
GC     Giovanni Preziosio
CF     Alan Beller
ENF    Stephen Cutler
ENF**  James Clarkson
IM     Paul Roye
MR     Annette Nazareth
ALJ    Brenda Murray
OAPM   Jayne Seidman
CA     Robert Herdman
OCOM   Brian Gross
OPA    Christi Harlan
OLA    Jayne Cobb
OIEA   Susan Ferris-Wyderko
OCIE   Lori Richards
OEA    Lawrence Harris
EEO    Deborah Balducchi
OFIS   Kenneth Fogash
OFM    Margaret Carpenter
OIT    Michael Bartell
OIG    Walter Stachnik
OIA    Felice Friedman

*  Executive Staff representing the Commissioners.
** Director responsible for regional and district operations.

ATTACHMENT B
SYSTEM SECURITY MANDATES THAT ARE THE RESPONSIBILITY OF COMMISSION DIVISION DIRECTORS AND OFFICE HEADS

Public Law (P.L. 106-398), including Title X, Subtitle G, "Government Information Security Reform (The Security Act)," amends the Paperwork Reduction Act of 1995 (44 U.S.C. Chapter 35) by enacting a new subchapter on Information Security. The new subchapter primarily addresses the program management and evaluation aspects of information security. The Security Act essentially codifies the existing requirements of OMB Circular A-130, Appendix III, "Security of Federal Automated Resources." The Security Act applies to all Executive agencies and pertains to all "program area" systems, including those systems currently in place or planned.

Ensuring the security of information systems is no longer the sole responsibility of the Commission's Chief Information Officer or Office of Information Technology. The Public Law establishes clear roles and responsibilities for the Chairman, Chief Information Officer, and Division Directors and Office Heads. Accordingly, Division Directors and Office Heads are ultimately responsible for the security of their program areas, including the assessment of the security of the information technology applications used by their program area to accomplish the Commission's regulatory responsibilities. Specific information security responsibilities of Commission program offices include:

- Assessing the risk to information processed by the systems supporting your program area;
- Determining the appropriate level of security to protect the information processed by the systems supporting your program area;
- Establishing and updating information systems security plans for your program area; and
- Ensuring that information security controls for the systems used in your core day-to-day operations are routinely tested and evaluated.

The Commission's CIO has established a contracting vehicle to ensure that each division and office consistently implements its information security responsibilities. In addition, the Office of the Executive Director has approved a regulation that outlines the process and procedures for certifying and accrediting Commission systems. Both tools should be used to assess the security of the information systems and applications that support specific program area responsibilities.

(1) See Attachment A

http://www.sec.gov/about/oig/audit/audmemo24final.htm